Privacy Policy
Company: AutoCyber AI Pty Ltd (ABN 22 697 087 166)
Effective date: 27 May 2026
Last updated: 27 May 2026
Contact: privacy@crprotocol.io
1. Who we are
AutoCyber AI Pty Ltd (ABN 22 697 087 166) is an Australian company. We author and maintain the Context Relay Protocol™ (CRP) open-source project, operate crprotocol.io, and publish the CRP product family (CRP Comply, CRP Gateway, CRP Visualise, CRP Scan, CRP Scribe).
This policy describes how we collect, use, store, and protect personal data in connection with:
- The crprotocol.io website and documentation
- The CRP open-source library (PyPI: crprotocol)
- CRP product accounts and trials
- Standards body correspondence (IETF, IANA, IEEE SA, ISO, NIST)
2. Data we collect and why
2.1 Website visits (crprotocol.io)
| Data | Purpose | Legal basis |
|---|---|---|
| Server access logs (IP, referrer, user agent, timestamp) | Security monitoring, abuse prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Anonymous page-view counts (no cookies) | Understand documentation usage | Legitimate interest |
We do not use Google Analytics, third-party tracking pixels, or behavioural advertising on crprotocol.io. Analytics are privacy-respecting and aggregate only.
2.2 Email and contact forms
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email address, message content | Responding to your enquiry | Contract / legitimate interest |
| Standards body correspondence | Standards submission and review | Legitimate interest |
2.3 GitHub interactions
GitHub (Microsoft Inc.) processes data when you open issues, pull requests, or discussions on our public repository. That processing is governed by GitHub's Privacy Statement.
2.4 Product accounts (CRP Comply, CRP Gateway, etc.)
Product-specific privacy notices are available within each product. General terms:
| Data | Purpose | Legal basis |
|---|---|---|
| Account email and name | Account access and billing | Contract (Art. 6(1)(b) GDPR) |
| API usage metrics | Quota management, billing | Contract |
| Session trace data (if runtime proxy enabled) | AI audit trail per CRP spec | Contract + legal obligation |
| Payment data | Billing (processed by Stripe — never stored by us) | Contract |
3. Cookies
crprotocol.io uses no advertising or tracking cookies. We set only:
| Cookie | Purpose | Duration |
|---|---|---|
| __Secure-mkdocs_palette | Remembers your dark/light theme preference | Session / 30 days |
For a full cookie breakdown see our Cookie Policy.
4. Data sharing and transfers
We do not sell your personal data.
We share data only with:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Railway (hosting infrastructure) | Application hosting | Standard Contractual Clauses (SCCs); EU-equivalent adequacy |
| GitHub / Microsoft | Source code hosting, CI | SCCs; Privacy Shield successor framework |
| Stripe | Payment processing | Stripe's Privacy Policy; PCI-DSS compliance |
| Brevo (Sendinblue) | Transactional email | SCCs |
International transfers: Our infrastructure is hosted in the United States (Railway, GitHub). Transfers are protected by SCCs under GDPR Art. 46. Australian-resident users: transfers are consistent with the Australian Privacy Act 1988 (Cth) and APP 8 overseas disclosure obligations.
5. Data retention
| Category | Retention |
|---|---|
| Server access logs | 90 days |
| Email correspondence | 24 months, then deleted or anonymised |
| Product session traces | Per-product configuration; default 12 months; deletable on request |
| Billing records | 7 years (Australian tax law) |
| Standards body submissions | Indefinite (public record) |
6. Your rights
If you are located in the European Economic Area, UK, or Switzerland, you have the following rights under the GDPR / UK GDPR:
- Access — request a copy of your data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — "right to be forgotten" (Art. 17)
- Restriction — limit our processing (Art. 18)
- Portability — receive your data in a structured format (Art. 20)
- Object — object to legitimate-interest or direct-marketing processing (Art. 21)
If you are located in Australia, you have rights under the Privacy Act 1988 (Cth) including access to and correction of your personal information (APPs 12 and 13).
To exercise any right, email privacy@crprotocol.io. We will respond within 30 days (GDPR standard) or 30 days (Australian Privacy Act).
7. Security
We implement the following controls to protect your data:
- TLS 1.2+ on all production endpoints
- Encryption at rest for sensitive product data (libsodium)
- Minimal data collection — we don't collect what we don't need
- Access controls — team access to personal data is need-to-know only
- Incident response — GDPR Art. 33 breach notification within 72 hours to the relevant authority and Art. 34 notification to affected individuals where required
See our Information Security Policy for the full posture.
8. Children
CRP and crprotocol.io are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have done so, contact privacy@crprotocol.io.
9. Changes to this policy
We will update this policy when our practices change materially. We will announce significant changes via the CHANGELOG. Continued use after the updated effective date constitutes acceptance.
10. Contact and complaints
| Purpose | Contact |
|---|---|
| Privacy questions | privacy@crprotocol.io |
| Security incidents | security@crprotocol.io |
| General | info@crprotocol.io |
If you are unsatisfied with our response, you may lodge a complaint with:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- EU/EEA: Your local Data Protection Authority (DPA)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
AutoCyber AI Pty Ltd · ABN 22 697 087 166 · Sydney, Australia
Context Relay Protocol™ is a trademark of Constantinos Vidiniotis / AutoCyber AI Pty Ltd.